Skip to content

Latest commit

 

History

History
84 lines (63 loc) · 3.54 KB

google-security-command-center.md

File metadata and controls

84 lines (63 loc) · 3.54 KB
description
With the ilert Google Security Command Center integration, you can create alerts in ilert based on Google Security Command Center findings.

Google Security Command Center

In ilert: Create a Google Security Command Center alert source

  1. Go to Alert sources --> Alert sources and click on Create new alert source

  2. Search for Google Security Command Center in the search field, click on the Google Security Command Center tile and click on Next.

  3. Give your alert source a name, optionally assign teams and click Next.

  4. Select an escalation policy by creating a new one or assigning an existing one.

  5. Select you Alert grouping preference and click Continue setup. You may click Do not group alerts for now and change it later.

  6. The next page show additional settings such as customer alert templates or notification prioritiy. Click on Finish setup for now.

  7. On the final page, an API key and / or webhook URL will be generated that you will need later in this guide.

In Google Security Command Center: Sending notifications via Google Cloud Functions

  1. Enable finding notifications for Pub/Sub with the following guide: https://cloud.google.com/security-command-center/docs/how-to-notifications#create-notification-config
  2. Create following function example in Google Cloud Functions. Make sure to replace [WEBHOOK_URL]with the Url generated in this step.

{% tabs %} {% tab title="Go" %}

import (
	"context"
	"log"
	"net/http"
	"github.com/go-resty/resty/v2"
)

type PubSubMessage struct {
	Data []byte `json:"data"`
}

func WebhookPubSub(ctx context.Context, m PubSubMessage) {

	// Send the webhook request with the Pub/Sub message as the content
	webhookURL := "[WEBHOOK_URL]"

	client := resty.New()
	resp, err := client.R().
		SetHeader("Content-Type", "application/json").
		SetBody(m.Data).
		Post(webhookURL)
	if err != nil {
		log.Printf("Error creating webhook request: %v", err)
		return
	}

	// Check the webhook response
	if resp.StatusCode() != http.StatusAccepted {
		log.Printf("Webhook request failed with status code: %d", resp.StatusCode())
		return
	}
}

{% endtab %} {% endtabs %}

  1. Deploy the Google Cloud Function by running the following command in the terminal:

    gcloud functions deploy WebhookPubSub --runtime go116 --trigger-topic YOUR_PUBSUB_TOPIC

    Replace YOUR_PUBSUB_TOPIC with the actual Pub/Sub topic name that you want the Cloud Function to be triggered by.

FAQ

Will alerts in ilert be resolved automatically?

Yes, as soon as the state of an alert in Google Security Command Center is RESOLVED, the associated alert in ilert is resolved.